Commit 79373ca3bd for openssl.org
commit 79373ca3bd4c26e9a4896e4c198828909cc6deec
Author: slontis <shane.lontis@oracle.com>
Date: Mon Jun 29 09:50:07 2026 +1000
FIPS: EC keygen - remove unnecessary self tests.
In FIPS mode EC keygen was doing 3 self tests.
ec_generate_key() was calling both ecdsa_keygen_pairwise_test() and
ecdsa_keygen_knownanswer_test(). The KAT did a key recomputation and
comparison with the generated key, as per Sp80056Ar3 section 5.6.2.1.4.
These tests covered both Keygen PCT for Key Agreement and Signatures.
ossl_ec_key_pairwise_check() was also being called from within ec_gen().
The advice from Atsec (lab) is that the sign/verify test within
ecdsa_keygen_pairwise_test() is sufficient according to the updated
rules in FIPS 140-3 IG 10.3.A Additional comment 1, Since the usage of
the generated key is unknown at the time of key generation.
Detected during testing of Jipher by Roshith Alankandy (Oracle).
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Tomas Mraz <tomas@openssl.foundation>
MergeDate: Mon Jul 13 14:47:00 2026
(Merged from https://github.com/openssl/openssl/pull/31761)
diff --git a/crypto/ec/ec_key.c b/crypto/ec/ec_key.c
index f5175653fa..44791a2c3e 100644
--- a/crypto/ec/ec_key.c
+++ b/crypto/ec/ec_key.c
@@ -213,56 +213,6 @@ int ossl_ec_key_gen(EC_KEY *eckey)
return ret;
}
-/*
- * Refer: FIPS 140-3 IG 10.3.A Additional Comment 1
- * Perform a KAT by duplicating the public key generation.
- *
- * NOTE: This issue requires a background understanding, provided in a separate
- * document; the current IG 10.3.A AC1 is insufficient regarding the PCT for
- * the key agreement scenario.
- *
- * Currently IG 10.3.A requires PCT in the mode of use prior to use of the
- * key pair, citing the PCT defined in the associated standard. For key
- * agreement, the only PCT defined in SP 800-56A is that of Section 5.6.2.4:
- * the comparison of the original public key to a newly calculated public key.
- */
-static int ecdsa_keygen_knownanswer_test(EC_KEY *eckey, BN_CTX *ctx,
- OSSL_CALLBACK *cb, void *cbarg)
-{
- int len, ret = 0;
- OSSL_SELF_TEST *st = NULL;
- unsigned char bytes[512] = { 0 };
- EC_POINT *pub_key2 = NULL;
-
- st = OSSL_SELF_TEST_new(cb, cbarg);
- if (st == NULL)
- return 0;
-
- OSSL_SELF_TEST_onbegin(st, OSSL_SELF_TEST_TYPE_PCT_KAT,
- OSSL_SELF_TEST_DESC_PCT_ECDSA);
-
- if ((pub_key2 = EC_POINT_new(eckey->group)) == NULL)
- goto err;
-
- /* pub_key = priv_key * G (where G is a point on the curve) */
- if (!EC_POINT_mul(eckey->group, pub_key2, eckey->priv_key, NULL, NULL, ctx))
- goto err;
-
- if (BN_num_bytes(pub_key2->X) > (int)sizeof(bytes))
- goto err;
- len = BN_bn2bin(pub_key2->X, bytes);
- if (OSSL_SELF_TEST_oncorrupt_byte(st, bytes)
- && BN_bin2bn(bytes, len, pub_key2->X) == NULL)
- goto err;
- ret = !EC_POINT_cmp(eckey->group, eckey->pub_key, pub_key2, ctx);
-
-err:
- OSSL_SELF_TEST_onend(st, ret);
- OSSL_SELF_TEST_free(st);
- EC_POINT_free(pub_key2);
- return ret;
-}
-
/*
* ECC Key generation.
* See SP800-56AR3 5.6.1.2.2 "Key Pair Generation by Testing Candidates"
@@ -359,8 +309,7 @@ static int ec_generate_key(EC_KEY *eckey, int pairwise_test)
void *cbarg = NULL;
OSSL_SELF_TEST_get_callback(eckey->libctx, &cb, &cbarg);
- ok = ecdsa_keygen_pairwise_test(eckey, cb, cbarg)
- && ecdsa_keygen_knownanswer_test(eckey, ctx, cb, cbarg);
+ ok = ecdsa_keygen_pairwise_test(eckey, cb, cbarg);
}
err:
/* Step (9): If there is an error return an invalid keypair. */
diff --git a/providers/implementations/keymgmt/ec_kmgmt.c b/providers/implementations/keymgmt/ec_kmgmt.c
index 57ff812793..28404502eb 100644
--- a/providers/implementations/keymgmt/ec_kmgmt.c
+++ b/providers/implementations/keymgmt/ec_kmgmt.c
@@ -1325,18 +1325,6 @@ static void *ec_gen(void *genctx, OSSL_CALLBACK *osslcb, void *cbarg)
if (gctx->group_check != NULL)
ret = ret && ossl_ec_set_check_group_type_from_name(ec, gctx->group_check);
-#ifdef FIPS_MODULE
- if (ret > 0
- && !ossl_fips_self_testing()
- && EC_KEY_get0_public_key(ec) != NULL
- && EC_KEY_get0_private_key(ec) != NULL
- && EC_KEY_get0_group(ec) != NULL) {
- BN_CTX *bnctx = BN_CTX_new_ex(ossl_ec_key_get_libctx(ec));
-
- ret = bnctx != NULL && ossl_ec_key_pairwise_check(ec, bnctx);
- BN_CTX_free(bnctx);
- }
-#endif /* FIPS_MODULE */
if (ret > 0)
return ec;
diff --git a/test/pairwise_fail_test.c b/test/pairwise_fail_test.c
index 3173225a0c..3446d23166 100644
--- a/test/pairwise_fail_test.c
+++ b/test/pairwise_fail_test.c
@@ -99,8 +99,6 @@ static int test_keygen_pairwise_failure(void)
if (!TEST_ptr_null(pkey = EVP_PKEY_Q_keygen(libctx, NULL, "RSA", (size_t)2048)))
goto err;
} else if (strncmp(pairwise_name, "ec", 2) == 0) {
- if (strcmp(pairwise_name, "eckat") == 0)
- type = OSSL_SELF_TEST_TYPE_PCT_KAT;
if (!TEST_true(setup_selftest_pairwise_failure(type)))
goto err;
if (!TEST_ptr_null(pkey = EVP_PKEY_Q_keygen(libctx, NULL, "EC", "P-256")))
diff --git a/test/recipes/30-test_pairwise_fail.t b/test/recipes/30-test_pairwise_fail.t
index eaf0dbbb42..ca2d1f96e4 100644
--- a/test/recipes/30-test_pairwise_fail.t
+++ b/test/recipes/30-test_pairwise_fail.t
@@ -22,7 +22,7 @@ use lib bldtop_dir('.');
plan skip_all => "These tests are unsupported in a non fips build"
if disabled("fips");
-plan tests => 9;
+plan tests => 8;
my $provconf = srctop_file("test", "fips-and-base.cnf");
run(test(["fips_version_test", "-config", $provconf, ">=3.1.0"]),
@@ -37,17 +37,11 @@ SKIP: {
}
SKIP: {
- skip "Skip EC test because of no ec in this build", 2
+ skip "Skip EC test because of no ec in this build", 1
if disabled("ec");
ok(run(test(["pairwise_fail_test", "-config", $provconf,
"-pairwise", "ec"])),
"fips provider ec keygen pairwise failure test");
-
- skip "FIPS provider version is too old", 1
- if !$fips_exit;
- ok(run(test(["pairwise_fail_test", "-config", $provconf,
- "-pairwise", "eckat"])),
- "fips provider ec keygen kat failure test");
}
SKIP: {